Cybercriminals use trust attacks to maliciously manipulate and insert
code into open source libraries, taking advantage of organizations’
dependence on them. Unsuspecting developers and site managers actively
introduce malware into their own software and websites when they use a
compromised OSL. When the infected code is distributed by a legitimate
developer, the resulting malicious software is automatically trusted by
that developer's users, infecting their machines and networks.

Since trust-based attacks can infect millions of computers very quickly,
it is critical that organizations increase their awareness about the
risks associated with OSL security. According to Xie, there are four
ways OSLs create risks for organizations:

Undetectable malware: The implicit trust afforded to OSLs –
which are often not moderated – means site managers and developers
pick up infected libraries and use them, without realizing malware has
been added.

Infected supply chains: The prolific use of OSLs across
enterprises means that if one piece of code is infected, a ripple
effect can carry the infected code across multiple businesses. Once an
infected library is in use, it’s likely the entire software
development supply chain will be impacted by the attack.

Legitimate-looking code: In addition to inserting malicious
code into genuine OSLs, threat actors often create and run their own
rogue OSLs. Given the large number of OSLs organizations use daily, it
can be difficult to distinguish those that are rogue from their
legitimate counterparts, and developers can be duped into using them.

Massive data leaks: Cybercriminals can leverage malware
inserted into an OSL after it has been incorporated into applications
and websites to create backdoors. Since the backdoors have been
created by trusted OSLs they are nearly undetectable, allowing
attackers to steal data, spy on users and disguise a wide range of
illicit activity.

“This is a very real problem, and recent research
from Sonatype revealed a 55 percent increase in breaches resulting
from OSL trust attacks in 2018,” said Xie. “It’s unrealistic, though, to
ask businesses to completely change their practices by limiting the use
of OSLs. Instead, the industry needs to work together to make open
source code more dependable.”

Venafi recommends that developers and consumers utilize code-signing
certificates to help determine which OSLs can be trusted – this is a
practical approach to validating the authenticity of an OSL. “In
addition, we encourage organizations to track internal OSL code,
recording library releases and any problems,” Xie concluded. “These
steps make it possible for OSL users to quickly identify issues,
simplifying the remediation process and helping the OSL community build
consensus on which OSLs are most trustworthy.”
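As an added example (not Venafi's code or a product feature), the following Go program models the two recommendations above: an internal record of approved OSL releases, each with its digest and any recorded problem, signed so that the record itself cannot be silently edited, and checked before an artifact is used. It assumes a hypothetical `Release`/`Manifest` structure and an Ed25519 release key standing in for a code-signing certificate; the library bytes in the test are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
)

// Release is one entry in the organization's internal record of approved
// open source library releases (assumed structure, not a Venafi format).
// KnownIssue stays empty until a problem with that release is recorded.
type Release struct{ Name, Version, SHA256, KnownIssue string }

// Manifest is the record plus an Ed25519 signature over its canonical text.
type Manifest struct{ Releases []Release; Signature []byte }

func canonical(rs []Release) []byte {
	var b []byte
	for _, r := range rs {
		b = append(b, r.Name+"@"+r.Version+"="+r.SHA256+"|"+r.KnownIssue+"\n"...)
	}
	return b
}

// SignManifest signs the record with the organization's release key.
func SignManifest(priv ed25519.PrivateKey, rs []Release) Manifest {
	return Manifest{Releases: rs, Signature: ed25519.Sign(priv, canonical(rs))}
}

// CheckArtifact verifies the manifest signature first, then compares the
// artifact's SHA-256 with the digest recorded for that name and version.
func CheckArtifact(pub ed25519.PublicKey, m Manifest, name, version string, artifact []byte) string {
	if !ed25519.Verify(pub, canonical(m.Releases), m.Signature) {
		return "bad-manifest-signature" // the record itself was altered
	}
	sum := sha256.Sum256(artifact)
	got := hex.EncodeToString(sum[:])
	for _, r := range m.Releases {
		switch {
		case r.Name != name || r.Version != version:
			continue
		case r.SHA256 != got:
			return "digest-mismatch" // tampered or substituted library
		case r.KnownIssue != "":
			return "known-issue"
		}
		return "approved"
	}
	return "unknown-release" // never reviewed: not trusted by default
}
```

An unknown release is reported rather than accepted, so a rogue or never-reviewed library cannot pass simply because nothing is recorded about it.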

Venafi is the cybersecurity market leader in machine identity
protection, securing machine-to-machine connections and communications.
Venafi protects machine identity types by orchestrating cryptographic
keys and digital certificates for SSL/TLS, IoT, mobile and SSH. Venafi
provides global visibility of machine identities and the risks
associated with them for the extended enterprise – on premises, mobile,
virtual, cloud and IoT – at machine speed and scale. Venafi puts this
intelligence into action with automated remediation that reduces the
security and availability risks connected with weak or compromised
machine identities while safeguarding the flow of information to trusted
machines and preventing communication with machines that are not trusted.

With over 30 patents, Venafi delivers innovative solutions for the
world’s most demanding, security-conscious Global 5000 organizations and
government agencies, including the top five U.S. health insurers; the
top five U.S. airlines; four of the top five U.S., U.K., Australian and
South African banks; and four of the top five U.S. retailers. Venafi is
backed by top-tier investors, including TCV, Foundation Capital, Intel
Capital, QuestMark Partners, Mercato Partners and NextEquity.